On February 16, 2016, Article 29 Working Party (WP29) issued an update on Opinion 8/2010 on applicable law. The update provides explanations concerning the applicable law in light of the Court of Justice of the European Union (CJEU) judgement’s in Google Spain (or Costeja case, C-131/12).
The ruling of May 13, 2015 held that EU data subjects have a right to obtain the delisting of links appearing in the search results based on their name. A right set forth by Directive 95/46/EC (the Directive) and that became to be known as “right to be forgotten”.
The judgment was groundbreaking under another perspective: it gave a broad interpretation of Article 4(1)(a) and allowed the application of EU data protection law in a case in which the controller was not established in the EU but it had here its advertising company and there was an “inextricable link’ between the processing activities and this advertising company.
With the updated document, WP29 clarifies the criteria that may trigger the applicability of the EU/national law also when
the data processing is carried out by non-EU entities. In particular, WP29 discusses the following two issues of concern for all those controllers that transfer data between Europe and non-EU countries.
Territorial reach of Directive 95/46/EC. The Google Spain judgement held that the Directive will apply where processing is carried out “in the context of the activities of an establishment” of the controller on the territory of a Member State. The WP29 explains:
Article 4(1)(a) does not necessarily require the processing of personal data in question to be carried out ‘by’ the relevant establishment itself, rather that it is sufficient if the processing is carried out ‘in the context of the activities’ of the establishment.
the activities of that local subsidiary may still bring the data processing within the scope of EU data protection law, as long as there is an ‘inextricable link’ between the activities of the local establishment and the data processing.
The activities of the Member State establishment have to be “the means of rendering the search engine economically profitable”. In practice, “without the advertising activities, which are facilitated by Google Spain SL, and similar Google subsidiaries across the globe, it would not be economically feasible for Google to offer its search engine services”. Thus, the Court concluded that
the processing of personal data in question is carried out in the context of the commercial and advertising activity of the controller’s establishment on the territory of a Member State, in this instance Spanish territory.
WP29 also highlights that the Directive applies when the EU branch or subsidiary “orientates its activity towards the inhabitants of that Member State. In Google’s case this means presenting Spain orientated advertising alongside the search results.”
WP29 goes ahead by highlighting that there could be an ‘inextricable link’ between the activities of the EU establishment and the data processing of the non-EU controller, “even if the local establishment is not involved in any direct way in the processing of data”. According to the CJEU – for example – when the local establishment raises revenues there could be an ‘inextricable link’ triggering the Directive’s application.
However, WP29 reminds that “each scenario must be assessed on its own merits, taking into account the specific facts of the case”.
Compliance with the ‘EU headquarters’ data protection law and/or with the national law of EU Member States of the ‘relevant’ establishment. WP29 tried clarifying whether, and to what extent, companies having a designated ‘EU headquarters’ (acting as a ‘controller’) need to comply also with the national law of other EU Member States in which the foreign company may have other ‘relevant’ establishments. In other terms, WP29 wonders whether Google Spain leads “to the application of several national data protection laws if the activities of several establishments of the same controller in the various Member States were ‘inextricably linked’ to the data processing?”
Which EU law? The Directive does not create a ‘one-stop-shop’ whereby it would only be the law of the Member State of the ‘EU headquarters’ that would apply to all processing of personal data throughout the EU. As a consequence, at the present stage, it “is not at all uncommon that a company headquartered in one EU Member State and having operations in multiple EU Member States would need to comply with the laws of each of these Member States”. This is also suggested in Weltimmo, another fundamental opinion recently rendered by the CJEU and concerning the applicability to foreign companies of EU data protection laws. More information on Weltimmo is available at http://www.technethics.com…
Conclusion. WP29 concludes with a very interesting takeaway:
The judgement provides useful clarification on two aspects: first, the judgement makes it clear that the scope of current EU law extends to processing carried out by non-EU entities with a ‘relevant’ establishment whose activities in the EU are ‘inextricably linked’ to the processing of data, even where the applicability of EU law would not have been triggered based on more traditional criteria. Second, the judgement also confirms that – where there is an ‘inextricable link’ – according to Article 4(1)(a) of Directive 95/46/EC, there may be several national laws applicable to the activities of a controller having multiple establishments in various Member States.
For more information, Francesca Giannoni-Crystal